On Sun, Apr 18, 2010 at 10:15 AM, gordon b slater <[email protected]> wrote: > On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote: > >> Interesting; I see similar results for my address space. Two >> addresses, one of which hasn't been attached to a machine for a decade >> and the other a virtual IP on a web server where the particular IP >> never emits connections. Magnitude's only "0.48" for both but still, >> they shouldn't even appear. > > Yep, same here, at two seperate sites. It's in the "reserved for extreme > emergencies" zone at the top of each assigned block. As per house > practice it is tcpdumped 24/7, and has been for the last 4 years. Zero > traffic from it at the perimiter. > > Go figure. > > Gord
Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)? Matt
